Virtual Private Networks and IPSec

Virtual Private Networks and IPSec
ECE 4112
What is a VPN?
• VPN stands for Virtual Private Network
• A method of ensuring private, secure communication between hosts over an insecure medium using tunneling
• Usually between geographically separate locations, but doesn't have to be
• Via tunneling and software drivers, a computer is logically directly connected to a network that it is not physically a part of
ECE 4112 - Internetwork Security

Sidebar: What is tunneling?
• Putting one type of packet inside another
• Both parties must be aware of the tunnel for it to work
• Example on the next slide: AppleTalk over IP tunnel

Example: AppleTalk over IP Tunnel
[Diagram: an old Macintosh (AppleTalk aware) on each side, each behind an AppleTalk-aware gateway; the AppleTalk packets are encapsulated inside IP to cross the Internet between the two gateways]

What is a VPN? (cont…)
• Uses some means of encryption to secure communications
  ◦ IPSec
  ◦ SSH
  ◦ Software could be written to support any type of encryption scheme
• Two main types of VPNs:
  ◦ Remote-Access
  ◦ Site-to-Site

What is a VPN? (cont…)
• Remote-Access
  ◦ The typical example of this is a dial-up connection from home, or for a mobile worker who needs to connect to secure materials remotely
• Site-to-Site
  ◦ The typical example of this is a company that has offices in two different geographical locations and wants to have a secure network connection between the two

Remote-Access Example
[Diagram: a mobile user and a home user each reach Network A through a VPN over the Internet, terminating at Network A's VPN-enabled gateway]

Site-to-Site Example
[Diagram: Network A and Network B each sit behind a VPN-enabled gateway; the two gateways carry a VPN over the Internet between the networks]

Why Use a VPN?
• Originally designed as an inexpensive alternative to a WAN over leased lines
• Now mostly used to securely connect computers over the Internet
• Convenient
• Lots of cheap and convenient protocols are insecure (IP, 802.11, etc.)
  ◦ Can now communicate securely over these insecure protocols

Why Use a VPN? (cont…)
• Example – it can simplify security

(What is about to be proposed is not the most secure thing in the world – so don't raise your hands and tell how you would make it more secure… it's just an example.)

  ◦ Assume a simple security policy with IP-based access management – for example, an FTP server with site-licensed software on it for employees
  ◦ Before the VPN, it was complicated to allow access to the FTP site for telecommuters or traveling employees
    – Train all employees to use an SSH tunnel, etc.
  ◦ After the VPN, employees offsite can still connect using an internal IP address

VPN Advantages
• Improved Security
• Consolidation of Scattered Resources
• Transparency to Users
  ◦ If set up properly
• Reduced Cost (vs. Leased Lines)

VPN Disadvantages
• Time Consuming Setup
• Possibly Frustrating Troubleshooting
• Interoperability with other Networks/VPNs
• Small performance overhead
  ◦ Should be negligible on today's hardware

VPN Security
• In academic terms, a VPN can provide Confidentiality, Integrity, and Authenticity
• Security against a determined hacker (read: academic attacks) depends largely upon the underlying protocols used
• Assuming the security of SSH, IPSec, or whichever other protocol is used, it should be secure

How are VPNs set up?
• Many different types of setup
• Vary in:
  ◦ Amount of hardware used vs. amount of software used
    – All hardware based
    – All software based
    – Mixed
  ◦ Amount of transparency to the end user
    – Does the user even realize that they are using a VPN?

How are VPNs set up? (cont…)
• The following is not an exhaustive list
  ◦ Gateway to gateway
    – Using two VPN-aware gateways
  ◦ End host to gateway
    – End host uses VPN software
  ◦ End host to end host
    – Both hosts use software
  ◦ End host to concentrator

How are VPNs set up? (cont…)
• SSH over PPP
• SSL over PPP
• Concentrator using IPSec
• Others (PPTP, L2TP, etc.)

VPN via SSH & PPP
• Point-to-Point Protocol over a Secure Shell connection
• Establishing a Network Connection
  ◦ Establish an SSH connection
    – VPN Client -> VPN Server
  ◦ Each has a PPP daemon that will communicate through the SSH connection
  ◦ Voilà! A VPN CONNECTION!

VPN via SSL & PPP
• Point-to-Point Protocol over a Secure Sockets Layer connection
• Secure Sockets Layer
  ◦ Built-in support for host authentication
  ◦ Certificates

VPN via SSL & PPP (cont…)
• Establishing a Network Connection
  ◦ Initial handshake for secure communication
  ◦ "Hello" messages establish:
    – SSL version, support for cipher suites, and some random data
  ◦ Key is determined separately from the handshake
  ◦ SSL connection complete!
  ◦ Data transferred over the link

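The first message of that handshake, as an added example that is not part of the slides: a small Python builder and parser for a TLS ClientHello, showing the version, the 32 bytes of client random and the offered cipher-suite list that the "Hello" carries. The record and handshake framing follow the TLS specification and the suite code points are the IANA-registered values; the suite list, the random bytes and the set of legacy suites flagged at the end are constructed for this example.

```python
"""Added example (not from the slides): build and parse a TLS ClientHello,
the first "Hello" message of the SSL/TLS handshake."""
import os
import struct

SUITE_NAMES = {                      # IANA-registered cipher-suite code points
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
}
LEGACY_SUITES = {0x000A, 0x0004}     # constructed policy set: suites worth flagging


def build_client_hello(suites, client_random=None, version=0x0303):
    """ClientHello (TLS 1.2 version field 0x0303) wrapped in a handshake record."""
    rnd = os.urandom(32) if client_random is None else client_random
    if len(rnd) != 32:
        raise ValueError("client random must be 32 bytes")
    body = struct.pack("!H", version) + rnd
    body += b"\x00"                                              # empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                          # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # handshake type 1 = client_hello
    return b"\x16" + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return the fields the 'Hello' establishes; reject truncated or malformed input."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len or len(body) < 37:      # version + random + sid len + suites len
        raise ValueError("truncated ClientHello")
    version = struct.unpack("!H", body[0:2])[0]
    client_random = body[2:34]
    pos = 35 + body[34]                               # skip the session id
    if pos + 2 > len(body):
        raise ValueError("truncated session id")
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("bad cipher suite vector")
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return {"version": version, "random": client_random, "cipher_suites": suites}


def legacy_offered(record):
    """Names of the flagged legacy suites a client offered; cheap to alert on."""
    return [SUITE_NAMES.get(s, hex(s))
            for s in parse_client_hello(record)["cipher_suites"] if s in LEGACY_SUITES]


if __name__ == "__main__":
    rec = build_client_hello([0x1301, 0xC02F, 0x000A])
    print(parse_client_hello(rec)["cipher_suites"], legacy_offered(rec))
```

No key material appears anywhere in this message, consistent with the slide's point that the key is determined separately from the hello exchange; what the hello fixes is the version and the menu of cipher suites the rest of the handshake chooses from.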
VPN via Concentrator
• What is a Concentrator?
  ◦ A concentrator is NOT a gateway or firewall
  ◦ Specialized device that accepts connections from VPN peers
  ◦ Authenticates clients
  ◦ Enforces VPN security policies
  ◦ Takes the overhead of VPN management and encryption off of gateways and local hosts

VPN via Concentrator (cont…)
• Steps to Establish a VPN
  ◦ Set up the concentrator (add users, specify authentication mechanisms, set IP address ranges, etc.)
  ◦ Install client software
  ◦ Client runs the software when it wants to be on the VPN

Other Methods
• Point-to-Point Tunneling Protocol
  ◦ Microsoft's implementation of VPN
  ◦ Data is first encapsulated inside PPP packets
  ◦ PPP packets are then encapsulated in GRE packets and sent over the link
• PPTP uses two connections
  ◦ One for the data being sent
  ◦ Another for a control channel

Other Methods (cont…)
• Any technology can be used
  ◦ Must have hardware or software to support it
• Another example: L2TP on gateways
  ◦ Layer 2 Tunneling Protocol
  ◦ Supported by routers
  ◦ If two routers support L2TP and are properly configured, then a VPN is set up between the routers
  ◦ Transparent to the end user

Intro to IPSec
• Created to add Authentication, Confidentiality, and Integrity to IP traffic
• Designed to combat specific shortcomings in IP
• IPSec is large and implementation is complicated
• What follows is a high-level overview
• As you will see in the lab, it need not be used only as a VPN technology; it can be stand-alone

Intro to IPSec (cont…)
• IPSec ≠ VPN
  ◦ IPSec is a protocol used in many VPNs
• Two main modes
  ◦ Transport
  ◦ Tunnel
• Two main services
  ◦ AH (Authentication Header protocol)
  ◦ ESP (Encapsulating Security Protocol)

Intro to IPSec (cont…)
• Authentication Header protocol
  ◦ Offers Authenticity and Integrity
  ◦ Uses a cryptographic hash
    – Covers the entire packet, including static header fields
  ◦ If any part of the original message changes, it will be detected
  ◦ Does not encrypt the message
  ◦ Can be used to authenticate
    – Prevents IP spoofing

Intro to IPSec (cont…)
• Encapsulating Security Protocol
  ◦ Provides Integrity and Confidentiality
  ◦ Encrypts the payload
  ◦ If used in tunnel mode, also encrypts the original IP header

Intro to IPSec (cont…)
• Transport Mode
[Packet layout: Real IP Header | IP Options | IPSec Header | Payload (for example, TCP and payload). The IPSec header could be either an ESP header (encrypts over the payload) or an AH header (authenticates over the packet)]

Intro to IPSec (cont…)
• Tunnel Mode
[Packet layout: GW IP Header | IPSec Header | Real IP Header | Payload (for example, TCP and payload). The IPSec header could be either an ESP header (encrypts over the real IP header and payload) or an AH header (authenticates over the packet)]

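To make the two layouts concrete (and the tunneling sidebar earlier, since tunnel mode is IP-in-IP with an IPSec header added), here is an added Python example that is not part of the slides. It builds a transport-mode AH packet and a tunnel-mode ESP packet as raw bytes and checks them the way a receiver would. The IPv4, AH and ESP header layouts, the protocol numbers 4/50/51 and the HMAC-SHA256-128 integrity check are the real ones; the keys, SPIs and addresses are constructed, and an HMAC-derived counter-mode keystream stands in for the AES cipher a real security association would use.

```python
"""Added example (not from the slides): IPSec AH in transport mode and ESP in
tunnel mode, built as raw bytes so the two layouts can be compared."""
import hashlib
import hmac
import struct

AUTH_KEY = b"demo-integrity-key"        # constructed; real keys come from IKE
ENC_KEY = b"demo-confidentiality-key"   # constructed
SPI_AH, SPI_ESP = 0x1000, 0x2000        # constructed SPIs
PROTO_IPIP, PROTO_TCP, PROTO_ESP, PROTO_AH = 4, 6, 50, 51


def ip_checksum(hdr):
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def _addr(a):
    return bytes(int(x) for x in a.split("."))


def ip_header(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header without options, header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                      0x4000, ttl, proto, 0, _addr(src), _addr(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def zero_mutable(hdr):
    """AH hashes the IP header too, but fields routers rewrite in transit
    (TOS, flags/fragment offset, TTL, checksum) are zeroed before hashing."""
    return (hdr[:1] + b"\x00" + hdr[2:6] + b"\x00\x00" + b"\x00" + hdr[9:10]
            + b"\x00\x00" + hdr[12:])


def icv(data):
    """HMAC-SHA256-128 (RFC 4868): HMAC-SHA256 truncated to 128 bits."""
    return hmac.new(AUTH_KEY, data, hashlib.sha256).digest()[:16]


def ah_transport(src, dst, next_hdr, payload, seq=1):
    """Transport mode AH: [IP hdr, proto 51][AH hdr][payload]; ICV over all of it."""
    ah_len = 12 + 16                                   # fixed fields + ICV
    hdr = ip_header(src, dst, PROTO_AH, ah_len + len(payload))
    ah = struct.pack("!BBHII", next_hdr, ah_len // 4 - 2, 0, SPI_AH, seq)
    tag = icv(zero_mutable(hdr) + ah + b"\x00" * 16 + payload)
    return hdr + ah + tag + payload


def ah_verify(pkt):
    """True if nothing but the mutable IP fields changed since the sender signed it."""
    hdr, ah, tag, payload = pkt[:20], pkt[20:32], pkt[32:48], pkt[48:]
    return hmac.compare_digest(tag, icv(zero_mutable(hdr) + ah + b"\x00" * 16 + payload))


def keystream(n, seq):
    """Toy counter-mode keystream (stand-in for AES); (key, seq) must never repeat."""
    blocks = [hmac.new(ENC_KEY, struct.pack("!II", seq, i), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def esp_tunnel(gw_src, gw_dst, inner_pkt, seq=1):
    """Tunnel mode ESP: [GW IP hdr, proto 50][SPI, seq][enc(inner IP packet +
    trailer)][ICV]. The real IP header travels inside the encrypted part."""
    pad = (-(len(inner_pkt) + 2)) % 4                  # trailer aligns to 4 bytes
    plain = inner_pkt + bytes(range(1, pad + 1)) + bytes([pad, PROTO_IPIP])
    esp_hdr = struct.pack("!II", SPI_ESP, seq)
    body = bytes(a ^ b for a, b in zip(plain, keystream(len(plain), seq)))
    tag = icv(esp_hdr + body)                          # integrity over SPI, seq, ciphertext
    outer = ip_header(gw_src, gw_dst, PROTO_ESP, 8 + len(body) + 16)
    return outer + esp_hdr + body + tag


def esp_decap(pkt):
    """Verify the ICV before decrypting; return the inner IP packet, or None."""
    esp_hdr, body, tag = pkt[20:28], pkt[28:-16], pkt[-16:]
    if not hmac.compare_digest(tag, icv(esp_hdr + body)):
        return None
    seq = struct.unpack("!II", esp_hdr)[1]
    plain = bytes(a ^ b for a, b in zip(body, keystream(len(body), seq)))
    pad, next_hdr = plain[-2], plain[-1]
    return plain[:-(pad + 2)] if next_hdr == PROTO_IPIP else None


if __name__ == "__main__":
    tcp = b"\x00\x50\x1f\x90" + b"GET / HTTP/1.0\r\n"   # constructed stand-in TCP segment
    ah = ah_transport("10.1.1.5", "10.2.2.9", PROTO_TCP, tcp)
    print("AH ok:", ah_verify(ah), "after a TTL hop:", ah_verify(ah[:8] + b"\x3f" + ah[9:]))
    inner = ip_header("192.168.1.10", "192.168.2.20", PROTO_TCP, len(tcp)) + tcp
    esp = esp_tunnel("203.0.113.1", "198.51.100.1", inner)
    print("ESP inner recovered:", esp_decap(esp) == inner, "inner hidden:", inner not in esp)
```

Running it shows the AH property from the earlier slide: a router decrementing the TTL does not break the check, because the mutable fields are zeroed before hashing, while changing the source address or a single payload byte does. The ESP tunnel packet exposes only the gateway addresses on the wire; the real header is inside the encrypted body, and the ICV is checked before anything is decrypted.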
Intro to IPSec (cont…)
• AH and ESP can be used together
  ◦ Tunnel ESP through AH transport packets
• Want to protect cryptographic keys
• Internet Key Exchange protocol (IKE)
  ◦ Secure way to exchange session keys based on a shared secret
  ◦ Can also use certificates (public key cryptography)

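How a shared secret fits into the key exchange, as an added Python example that is not from the slides: a Diffie-Hellman exchange whose public values and nonces are then authenticated with a pre-shared key, following the IKEv2 (RFC 7296) formulas for SKEYSEED and PSK-based AUTH but with no message encoding, no SA negotiation and a single simplified key-expansion step. The DH group is Oakley group 2 from RFC 2409, chosen only because it is short enough to embed; the pre-shared keys are constructed.

```python
"""Added example (not from the slides): the shape of an IKE-style key exchange
with pre-shared-key authentication. Simplified from IKEv2, not an implementation."""
import hashlib
import hmac
import secrets

# Oakley group 2, 1024-bit MODP (RFC 2409), embedded because it is short;
# current deployments use the larger RFC 3526 groups.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
KEY_PAD = b"Key Pad for IKEv2"       # fixed string from the RFC 7296 PSK AUTH formula


def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


class Peer:
    def __init__(self, psk):
        self.psk = psk
        self.x = secrets.randbelow(P - 3) + 2           # private DH exponent in [2, P-2]
        self.nonce = secrets.token_bytes(32)
        self.sk_enc = self.sk_auth = None

    def public(self):
        return pow(G, self.x, P).to_bytes(128, "big")

    def derive(self, peer_public, ni, nr):
        y = int.from_bytes(peer_public, "big")
        if not 2 <= y <= P - 2:                          # reject 0, 1, P-1: trivial g^ir
            raise ValueError("invalid DH public value")
        shared = pow(y, self.x, P).to_bytes(128, "big")
        skeyseed = prf(ni + nr, shared)                  # IKEv2: SKEYSEED = prf(Ni|Nr, g^ir)
        self.sk_enc = prf(skeyseed, b"enc")              # simplified key expansion
        self.sk_auth = prf(skeyseed, b"auth")

    def auth(self, signed_octets):
        # IKEv2 PSK: AUTH = prf(prf(PSK, "Key Pad for IKEv2"), SignedOctets)
        return prf(prf(self.psk, KEY_PAD), signed_octets)


def run_exchange(initiator, responder):
    """Both halves of the exchange, with the values each side would send."""
    gi, ni = initiator.public(), initiator.nonce         # IKE_SA_INIT request: KEi, Ni
    gr, nr = responder.public(), responder.nonce         # IKE_SA_INIT response: KEr, Nr
    initiator.derive(gr, ni, nr)
    responder.derive(gi, ni, nr)
    auth_i = initiator.auth(gi + ni + nr)                # IKE_AUTH request carries AUTH
    auth_r = responder.auth(gr + nr + ni)                # IKE_AUTH response carries AUTH
    return {
        "responder_accepts": hmac.compare_digest(auth_i, responder.auth(gi + ni + nr)),
        "initiator_accepts": hmac.compare_digest(auth_r, initiator.auth(gr + nr + ni)),
        "keys_match": initiator.sk_enc == responder.sk_enc,
    }


if __name__ == "__main__":
    psk = b"constructed-shared-secret"
    print("same PSK:", run_exchange(Peer(psk), Peer(psk)))
    print("wrong PSK:", run_exchange(Peer(psk), Peer(b"wrong-secret")))
```

The mismatched-PSK run is the instructive case: both sides still compute the same DH key, so key agreement alone says nothing about who is on the other end; only the AUTH check, keyed by the shared secret, rejects the wrong peer. Certificate-based IKE replaces that PSK step with a signature over the same signed octets.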
Resources
• Books:
  ◦ Building Linux Virtual Private Networks
    – Oleg Kolesnikov, Brian Hatch
  ◦ Linux Server Hacks
    – Rob Flickenger
  ◦ Network Security
    – Charlie Kaufman, Radia Perlman, Mike Speciner

Resources (cont…)
• Lecture Slides by Wenke Lee (see below)
• Websites:
  ◦ http://vpn.shmoo.com/
  ◦ http://www.tldp.org/HOWTO/VPN-HOWTO/
  ◦ http://www.onlamp.com/lpt/a/3009
  ◦ http://www.cisco.com/warp/public/471/how_vpn_works.shtml
  ◦ http://www.cc.gatech.edu/classes/AY2004/cs4803_fall/ipsec_1.ppt
  ◦ http://www.cc.gatech.edu/classes/AY2004/cs4803_fall/ipsec_2.ppt